Google Gets the Giggles: Brute-Force Bug Leaves Accounts Vulnerable to Phone Number Prowlers!
BruteCat unearthed a flaw allowing brute-forcing of Google account recovery phone numbers using a deprecated form. By bypassing weak defenses, he accessed phone numbers, posing risks for phishing and SIM-swapping attacks. Google patched the flaw after initially downplaying its severity. BruteCat’s discovery highlights the need for robust security measures.

Hot Take:
Who knew that the secret to unlocking Google accounts was a game of phone tag? BruteCat’s discovery is like finding out you could open a bank vault with a rubber chicken. Thankfully, the vault’s been sealed, but not before giving us a heart attack. I guess Google’s motto should now be “Don’t be evil, and don’t leave the backdoor open!”
Key Points:
- BruteCat discovered a vulnerability allowing brute-forcing of Google account recovery phone numbers.
- The flaw involved a deprecated JavaScript-disabled Google username recovery form.
- Using IPv6 address rotation, BruteCat bypassed rate-limiting defenses.
- Google initially rated the issue low risk but later upgraded it to medium severity.
- The vulnerability has now been patched, ending this phone number guessing game.
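The third key point is the one defenders can act on directly: a rate limit keyed on the exact source address is defeated when a client rotates through addresses inside a single IPv6 allocation, because every request lands in a fresh bucket. The added example below (not BruteCat's or Google's code) contrasts a per-address limiter with one that buckets IPv6 clients by their /64 prefix, so rotation within one allocation still counts against one budget. The prefix length, the limit, the window and the sample addresses are assumptions chosen for illustration.

```python
"""Prefix-keyed rate limiter (added example, not code from the original page).

Shows why an exact-address limiter is bypassed by rotating addresses within
one IPv6 /64, and how keying the bucket on the prefix closes that gap.
"""
import ipaddress
from collections import defaultdict, deque

# Assumptions for this example: treat an IPv6 /64 as one client allocation,
# and treat each IPv4 address as its own bucket.
IPV6_BUCKET_PREFIX = 64
IPV4_BUCKET_PREFIX = 32


def bucket_key(addr: str, per_address: bool = False) -> str:
    """Return the rate-limit bucket for a source address.

    per_address=True reproduces the weak scheme (one bucket per exact address);
    per_address=False buckets by network prefix instead.
    """
    ip = ipaddress.ip_address(addr)
    if per_address:
        return str(ip)
    plen = IPV6_BUCKET_PREFIX if ip.version == 6 else IPV4_BUCKET_PREFIX
    return str(ipaddress.ip_network((str(ip), plen), strict=False))


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per bucket per `window` seconds.

    Time is passed in explicitly so behaviour is deterministic and testable.
    """

    def __init__(self, limit: int, window: float, per_address: bool = False):
        self.limit = limit
        self.window = window
        self.per_address = per_address
        self.hits = defaultdict(deque)  # bucket key -> timestamps of recent hits

    def allow(self, addr: str, now: float) -> bool:
        key = bucket_key(addr, self.per_address)
        q = self.hits[key]
        # Drop hits that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def count_allowed(limiter: RateLimiter, attempts, step: float = 1.0) -> int:
    """Feed a sequence of source addresses, one per `step` seconds; return how many pass."""
    return sum(1 for i, addr in enumerate(attempts) if limiter.allow(addr, i * step))


# Constructed sample traffic: ten requests, each from a different address
# inside the same /64 (the rotation pattern the key points describe).
ROTATING_SAME_64 = [f"2001:db8:1:2::{i:x}" for i in range(1, 11)]
# A single request from a different /64, which should not share the budget.
OTHER_64 = ["2001:db8:ffff:0::1"]


def demo():
    """Return (allowed by per-address limiter, allowed by prefix limiter)."""
    weak = RateLimiter(limit=3, window=60.0, per_address=True)
    strong = RateLimiter(limit=3, window=60.0, per_address=False)
    return count_allowed(weak, ROTATING_SAME_64), count_allowed(strong, ROTATING_SAME_64)


if __name__ == "__main__":
    weak_ok, strong_ok = demo()
    print(f"per-address limiter let through {weak_ok}/10 rotated requests")
    print(f"/64-keyed limiter let through   {strong_ok}/10 rotated requests")
```

With a limit of three per minute, the per-address limiter passes all ten rotated requests because each address is a new bucket, while the /64-keyed limiter stops at three. In production the prefix length is a tuning decision (some providers hand out larger blocks, so a second, looser tier keyed on a shorter prefix is common), and the limiter should sit on every recovery endpoint, including legacy or no-JavaScript variants, since an unprotected fallback form is exactly what the second key point describes.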